SECOND SUPPLEMENTAL DECLARATION OF ROBERT W. SCHUMANN (IN FURTHER SUPPORT
OF PLAINTIFFS' MOTION TO MODIFY THE JANUARY 20, 2000 ORDER OF PRELIMINARY
INJUNCTION AND IN OPPOSITION TO DEFENDANTS' MOTION TO VACATE)

Second Supplemental Declaration of Robert W. Schumann

I declare, under penalty of perjury, as follows:

1. I am the President and Chief Executive Officer of Cinea, LLC, a digital
content security firm. This Declaration is submitted in further support of
plaintiffs' motion to modify the preliminary injunction issued in this case
on January 20, 2000 and in opposition to defendants' motion to vacate that
injunction. In this Declaration, I focus on the following:

a. Defendants' claim that DeCSS has no use in connection with the copying
or "piracy" of DVD movies.

b. Defendants' claim that widespread proliferation of DeCSS is justified
because there is legitimate academic, commercial or scientific value in doing
so.

2. I make this Declaration based upon my own personal knowledge, including
my review of the declarations submitted on behalf of the defendants discussed
below, as well as other documents and things referred to in this declaration.
I could and would competently testify to the matters set forth below should
I be called as a witness before this Court.

3. Defendants claim that there is no evidence of copying or piracy as a result
of the use of DeCSS. In doing so, defendants ignore one fundamental truth
which is inescapable -- that DeCSS is designed and functions to decrypt
and copy the DVD content to the computer hard drive. This copying
process was described in detail in my original declaration in this action,
dated January 19, 2000. See ¶¶ 2-4. Indeed, as I
noted, "[s]uch copying is not an essential step to decryption or viewing
of CSS-protected DVD content and would not be desirable from a functional
standpoint if the purpose of the utility was to allow playback rather than
copying."

4. Defendants' premise that DeCSS does not enable "piracy" is mistaken unless
defendants intend to exclude the real threat faced by content owners in the
Internet era: the unauthorized copying and transmission by and among a vast
number of individual computer users of copyrighted works utilizing compression
technologies that enable a considerable amount of data to be copied, stored
and transferred in a much more manageable form. Compare Stevenson Decl. at
¶ 21 ("I've seen no direct evidence indicating any commercial piracy
using that utility [DeCSS]. In part, I believe this is because 'pirates'
who wish to sell movies need to put them on media that is convenient for
distribution.")

5. As explained below, the explosive growth of the Internet as a means to
'pirate' copyrighted works of entertainment does not depend, at all, upon
the creation of counterfeit discs but, instead, relies entirely on computer-based
storage and file transfer technologies, without the need to ever reduce the
unauthorized copy to a physical disc, such as a DVD or CD. Perhaps the best
known example is the use of so-called "MP3" (which is itself a compression
technology) that has become ubiquitous in the digital copying and transmission
of audio recordings on the Internet. Such technologies are not, however,
confined solely to use in connection with audio recordings. For example,
the well-known "Napster" system over which there has been considerable press
coverage, see Exh. 1, (and which is the subject of ongoing litigation)
also has a recently released variant, referred to as "Wrapster," which enables
the digital copying and Internet transmission of other types of copyrighted
material including audiovisual works. See e.g., Exh. 2.

6. Even more threatening, however, is the emergence of high ratio compression
technologies, such as DivX. This compression technology enables users to
take a full length movie and "shrink" it considerably in size, far reducing
the amount of storage space and transfer time required to make a movie available
on the Internet. See, e.g., "Movie pirates hitting prime time (Thanks
to new compression scheme, film piracy thrives on the Net)," CNBC & The
Wall Street Journal.Business, May 10, 2000, Exh. 3 hereto. One of defendants'
many declarants recognized as much: "there are also indications that future
codecs (compression methods) will allow full-length movies to be stored on
a single CD-Rom . . .". See Stevenson Decl., ¶ 28.

7. Moreover, while the various examples cited in defendants' papers rely
on fairly low bandwidth devices, such as 56K modem connections, the real
users of these technologies already enjoy and have access to systems of far
greater bandwidth. For example, most colleges and universities provide 100 Mbps
ethernet connections to all dorm rooms, and the cost of 100 Mbps ethernet
adaptors for PCs is well under $30. A 5 gigabyte DVD disc image can be
transferred over a 100 Mbps ethernet link in under 7 minutes, and can be
easily watched over that same link without even requiring storage on the
receiving computer. That same 5 gigabyte DVD image when compressed using
a high compression Codec such as DivX will have a size of approximately 1.2
gigabytes allowing it to be transferred on that same 100 Mbps link in under
2 minutes, or stored for posterity's sake on 2 CD-R discs which currently
cost less than $1 each.

8. As may already be apparent, the most concentrated activity in the unauthorized
digital copying and Internet transmission of pirated copies occurs among
college-age students. This is not only because of the demographics of age
and interest, but also because access to wideband systems is readily available
to them. See Exh. 4. These wideband systems are becoming increasingly
common elsewhere. See Exh. 5.

9. A front page article of the New York Times was recently devoted
to the emergence of a host of new "file-sharing" technologies, such as Gnutella,
Imesh, FreeNet and others. See Exh. 2. One of the principal threats
posed by many of these technologies is their anonymity. They enable users
to copy and transfer digital content in a manner that is virtually undetectable
because there is no central index or server through which information or
content is routed. As a result, these technologies enable users who download
the enabling software to host, transmit, request and receive any variety
of copyrighted matter, including audiovisual content, through an almost infinite
network of computers containing like software. These systems are decentralized
and structured in such a way that no one user can ascertain the identity
or location of the files of any of the thousands or millions of other users
with whom he or she is connecting, much like a "spy network" prevents any
one participant from knowing more than a few contacts that can be "compromised."
These technologies have received considerable attention since their emergence
in the past two or three months precisely because of the threat posed to
content owners. See also The Washington Post, "E-Power to the People,
New Software Bypasses Internet Service Providers," May 18, 2000, Section
A, pg. 1, Exh. 6 hereto.

10. The value of DeCSS in this context has not gone unnoticed. A recent article
in the Toronto Star explains precisely how a computer user can take
advantage of the DivX compression technology described above, in combination
with DeCSS to enable the decryption, copying and storage of DVD movies.
See Exh. 3. See also "DVD 'Ripping' Revisited," Toronto Star,
May 4, 2000, Exh. 7 hereto (explaining how DivX compression technology
can be used in conjunction with DeCSS to decrypt and compress DVD movies).

11. In effect, these file-sharing technologies enable users to highly compress
and transmit unauthorized copies of movies over the Internet via broadband
connections (any single transmission to a single student on a college campus
will then suffice as a ready source for proliferation throughout that entire
community). DeCSS, as a decryption device, enables the user to decrypt and
copy the DVD film in digital form to accomplish this.

12. The impact of these new technologies is obvious. Indeed, many of them
were not even publicly known at the time of the January 20 hearing in this
matter. These technologies are not only being refined and further developed
constantly, see, e.g., Exh. 8, but the combination of increased bandwidth,
high ratio compression devices and DeCSS, makes the unauthorized digital
copying and electronic transmission of DVD movies a reality. A decryption
device such as DeCSS is an essential element of this form of piracy. Just
like the unauthorized copying and file-sharing of MP3 audio recordings, which
until recently were confined to the fringe elements of the Internet, the
ready availability of DeCSS to decrypt DVD movie content threatens to create
a huge market for the widespread unauthorized copying and electronic transmission
of copyrighted DVD films.

13. Defendants contend that the use of DeCSS in connection with such Internet
piracy of movies is impractical, if not impossible. Thus, in paragraph 10
of Matt Pavlovich's Declaration, there is a statement to the effect that
"[a]ny effort to simply play the unencrypted content stored on a harddisc
or other large medium would be futile, due to the fact that there is no known
player that can play from anything but a DVD disc." This is wrong. Using
DeCSS I copied and decrypted all of the files from the movie "You've Got
Mail" to the hard drive of a new Windows 98-based PC. After the copying was
complete, I attempted to play back the decrypted movie from the files on
the hard drive using a variety of commercial DVD software. All of the packages
used allowed me to view the basic movie content and one of the packages (XingDVD)
allowed me to play back the entire set of files with full DVD functionality.
The playback devices included the Windows MediaPlayer software which ships
with the Windows 98 operating system. The playback software that I tested
was: PowerDVD, XingDVD, Windows MediaPlayer, and WinDVD. All of these software
packages are readily available for downloading from the Internet. The audio-video
playback was flawless and of exactly the same quality as that experienced
when the content was viewed directly from the DVD disc itself.

14. Defendants claim that existing writeable DVD technologies are incompatible
with each other and with commercially available DVD players. Although defendants
are incorrect in large part (DVD-R is compatible with all existing DVD drives
and DVD-RW will be readable in newer generation drives), defendants seem
to ignore the real point. That is, there is no need for someone to copy or
"burn" movie content onto a portable disc such as a DVD or CD-Rom when it
can be stored and accessed via the Internet. Compare Gilmore Decl. at ¶
21; Stevenson Decl. at ¶ 21. Indeed, this is precisely the pattern now
engaged in with respect to unauthorized audio recordings on the Internet
and is effectively the same model upon which the new "file-sharing" technologies
described above are based, with the capability to share video files. In this
context, the alleged incompatibility of various storage media is largely
irrelevant since movie files can be stored on digital tape, on accessory
hard drives or the like and accessed and transmitted via the Internet without
the need to access or play a particular type of physical disc as part of
the process. One can store compressed video files on the following storage
media at little cost: Online storage using hard drives, the most expensive
option, can be had for as little as $210 for a 30 Gigabyte disc drive, enough
storage for 20 DivX compressed motion pictures. Offline storage is considerably
cheaper. For example, 4MM DAT tapes for the Sony DD2-2 tape drives cost as
little as $9 each: each tape is capable of holding 3-5 DivX compressed motion
pictures. Finally writeable CDs are widely available for less than $1 each,
with only two of them needed to hold a DivX compressed motion picture.

15. Defendants also contend that one need not use DeCSS to achieve this result.
Chris DiBona's Declaration, ¶¶ 16-21 suggests that even a CSS licensed
DVD player enables copying of the file data into the hard drive. What Mr.
DiBona does not make clear in his declaration, however, is that this data
remains encrypted and thus, cannot be played from the hard drive, at least
in a CSS licensed DVD player. Thus, contrary to Mr. DiBona's suggestion,
an authorized DVD playing program is not "a DeCSS equivalent," since DeCSS
decrypts and copies the unencrypted data to the hard drive or other storage
medium. As explained above, in paragraph 3 of this declaration, the copying
of the unencrypted data is neither necessary nor appropriate to such a playback
function. For this reason, CSS licensed Linux players (there are at least
two to my knowledge, see Exh. 10) follow the regime mandated for CSS
licensed DVD players in preventing user access to the unencrypted data file
for any purpose other than playback. The quality problems experienced by
Mr. DiBona and other of the declarants have nothing to do with CSS or DeCSS
and are purely a function of the player environment. DeCSS would not cause
a diminution in playback quality of either audio or video elements. One does
not "play back" through DeCSS as such, because DeCSS is not a player.

16. Although defendants justify the indiscriminate proliferation of DeCSS
as part of a legitimate reverse engineering effort to develop an unlicensed
Linux-based DVD player, the fact remains that unrestricted distribution of
this utility does little to serve such a reverse engineering process, for
a number of reasons. First, the premise that DeCSS has value in analyzing
the operation of the DVD player itself is suspect. There are a considerable
number of DVD discs that are released without CSS encryption and can be and
have been used in the development of the DVD player function. See Exh.
11. It is also possible to create and analyze any set of DVD structures by
creating test content using a variety of low-cost authoring tools. These
include tools such as the "Sonic DVDit!" tool which is already bundled with
consumer PCs. See Exhibit 12. It is particularly cumbersome to conduct reverse
engineering of DVD by means of unencrypted movie content stored on a hard
drive. To "debug" from such a file containing billions of bits is literally
like looking for a needle in a haystack. It is far more helpful to use DVD
analysis tools instead. To the extent that the study of CSS itself is relevant,
defendants' declarant, Wagner, acknowledges that there is little need to do
so because DeCSS "effectively . . . substituted for or constituted that part
of the entire job of reverse engineering a DVD player." Wagner Decl., ¶
16. That is, DeCSS is not being used for study, but rather for its
decryption/copy function. Moreover, as another of defendants' declarants
acknowledged in a comment he made on the Internet about the value of reverse
engineering in this context:

[since] most cryptanalysts don't have the skills for reverse-engineering
(I find it tedious and boring), they never bother analyzing the systems.
This is why COMP128, CMEA, ORYX, the Firewire cipher, the DVD cipher, and
the Netscape PRNG were all broken within months of their disclosure (despite
the fact that some of them have been widely deployed for many years); once
the algorithm is revealed, it's easy to see the flaw, but it might take years
before someone bothers to reverse-engineer the algorithm and publish it.
Contests don't help.

Statement of Bruce Schneier, August 26, 1999, Exh. 13.

17. This becomes even more apparent when one considers the proliferation
of DeCSS in object code form. As Mr. Wagner acknowledges, there is little
to be discerned from object code iterations of DeCSS: "[H]igh-level source
code is much easier for humans to understand than the low-level computer
instructions found in DVD players". See Wagner, ¶ 16. Arguments
concerning the need to proliferate DeCSS as part of a reverse engineering
effort thus fall short of justifying widespread dissemination of the object
code utility.

18. Nonetheless, defendants' declarants seem to focus almost entirely on
source code, rather than the object code versions of DeCSS that are being
proliferated. Thus, Dr. Touretzky's site, apparently created after
the Court's January 20, 2000 injunction, is one which he claims does not
make "the binary executable file for the program known as DeCSS" available.
Touretzky Decl. at ¶ 2. Posting source code is not, however, always
the norm. The curriculum vitae attached to Mr. Stevenson's declaration makes
clear that he considered his hack (of a Norwegian security company's encryption
system) as one which "deemed keeping the details of this finding secret as
the most responsible course of action." The persons who were engaged in
development of an unlicensed Linux DVD player expressed similar concerns
about the propriety of posting DeCSS to the Internet. See, e.g.,
attachments to Exh. B of my earlier Reply Declaration.

19. I am troubled by the notion that academic, scientific or other interests
would enable persons to furnish a decryption program (in source or object
code) with impunity, particularly where its publication is a subterfuge for
providing the utility. I believe that Dr. Touretzky actually makes this point
quite clearly in his declaration. He claims to have assembled a variety of
different source code iterations of DeCSS and to have posted them to his
web site solely to prove that any of these source code versions can be readily
converted or compiled into an executable utility. I do not regard this as
an exercise in reverse engineering. I am also hard-pressed to understand
why commentary on code would necessarily require posting or linking to it
in a manner which enables others to download and use it as a utility. I find
it ironic that, on the one hand, defendants claim that CSS was an ineffective
security device but on the other hand, that there is great interest in studying
it and, for that reason, its wholesale proliferation on the Internet should
be justified.

20. As I explained in my recent deposition, CSS is certainly not a weak
encryption program; it was not "cracked" until some three years after it
was embodied in authorized DVD players and discs and then, as stated above,
only after the algorithm was disclosed. See Exh. 14.

21. The suggestion that CSS was a weak system because it was cracked is a
meaningless test of its "effectiveness." As declarant Wagner acknowledges,
the whole purpose of cryptography and security testing is to defeat security
systems. According to Wagner, it is "fundamentally impossible" to secure
any such system against the efforts of dedicated individuals. If this premise
were in any way controlling, there would be absolutely no need for any law
whatsoever with respect to hacking or circumvention. Just because a small
set of individuals can break the code does not mean that CSS is ineffective
as an encryption device. This would be like saying that just because certain
professional safe-crackers are capable of "cracking" a bank vault, that
bank vaults are not considered effective security devices.

22. Defendants also suggest that DeCSS is not unique and that there are other
readily available utilities which perform essentially the same function.
See, e.g., Stevenson Decl., ¶¶ 16-18, where Stevenson claims
that DODsripper "predates DeCSS" but, at the same time, claims that until
DeCSS was made available, existing tools were impractical to use. In fact,
DODsripper and the later "PowerRipper" discussed in ¶ 18 of Mr. Stevenson's
declaration do not perform the same function as DeCSS, for the following
reasons: PowerRipper is fundamentally different in that it does not even
perform the actual decryption. PowerRipper requires the use of separate DVD
playback software to actually read and decrypt the content. PowerRipper then
parasitically attaches itself to the legitimate player and takes the decrypted
content from the computer's RAM and sends it to the hard-drive for storage.
PowerRipper is significantly less functional than DeCSS in several respects,
including a very cumbersome and difficult to use environment due to the multitude
of programs required. More importantly, PowerRipper is only able to extract
the content actually "viewed" through the normal player, thus many additional
features, additional soundtracks, etc. are not available. DOD's SpeedRipper
solved some of the deficiencies in PowerRipper, most notably that SpeedRipper
performed the CSS decryption itself, thus not requiring an external "viewer"
program. SpeedRipper has several problems though, which made it a far less
useful device than DeCSS as a stand-alone decryption device. It did not have
a Windows user interface and is very cumbersome to use, and most importantly
does not have a complete CSS decryption implementation. SpeedRipper was unable
to decrypt the movie "The Matrix," as noted in one of the postings attached
as Exhibit C to my January 19, 2000 Reply Declaration. DeCSS solved these
deficiencies in SpeedRipper, providing a more robust CSS decryption capability
and a standard, and easily used, Windows interface. Some of the other software
mentioned in Stevenson's Declaration (paragraph 14), includes CSS_auth which
is not a decryption device, CSS_descramble.c which is source code for the
CSS decryption algorithm; anonymous source.c which is also CSS source code
for the decryption algorithm and CSS_cat, which will, with other tools, perform
a decryption function, but has no real user interface, unlike DeCSS. There
is also a program called readdvd (Gilmore, paragraph 14) which also has no
real user interface. I believe that the reason why DeCSS is being so widely
proliferated is because it is in the Windows environment and is far more
effective and far easier to use than any other unauthorized program that
could be used to decrypt CSS.

23. As I also stated in my recent deposition, CSS and the decryption of it
via DeCSS has nothing to do with protecting so-called regional coding or
any mechanism which prevents consumers from fast-forwarding through the initial
audiovisual information contained on a DVD disc (which includes copyright
infringement warnings, and the like). Defendants are incorrect in their claim
that DeCSS is necessary to bypass what they regard as an offensive restriction
on their ability to play DVD discs universally or to bypass some alleged
inability to fast-forward through promotional trailers at the beginning of
a disc. See Exh. 15. I note that Mr. Corley claims not to even own
a DVD player or to have utilized DeCSS, so I am not sure why he believes
this to be the case.

24. Finally, defendants suggest that browser programs of users automatically
convert plaintext references to hyperlinks without any action on the part
of the person who posted the plaintext reference, e.g., on a web page. This
statement is attributed to Professor Moglen. From my reading of his declaration,
he made no such claim. (There is an unsupported statement to this effect
in ¶ 5 of the Fries declaration.)

25. In my previous Supplemental Declaration of April 3, at paragraph 5, I
discussed that some commercially available software will automatically convert
plaintext references to worldwide web addresses into hyperlinks, but only
for authoring or non-browser software such as Word. While theoretically possible
for a browser to perform this function, this seemed to me not only to be
unlikely, but unnatural and counter to the basic function of a browser, which
is to display the received HTML following the specific instructions contained
within the HTML command syntax. HTML has very clear distinctions between
"plaintext" and hyperlinked, or other specialized, text. To test this, I
built a small text string described as both a "hyperlink" and as plaintext.
I have attached as Exh. 16 the results of viewing this HTML document on the
two most popular browsers used (Netscape, versions 6.0b1 and version 4.6,
and Internet Explorer v3.03). As is evident, none of these browsers converts
the plaintext, "www.yahoo.com" or "http://www.yahoo.com" into hyperlinks.
As Professor Moglen well knows, links do not admit of any discretion in the
sense that Professor Moglen suggests. Professor Moglen's arguments (¶
10 of his Declaration) about the lack of control that the linking party has
over the content contained on the "linked to" site would seem to have nothing
to do with the issues in this case. See my April 3, 2000 (First)
Supplemental Declaration at ¶ 8.

I declare under penalty of perjury, that the foregoing is true and correct.